Cisco ASA 5505 Configuration Manual page 1055

Chapter 48
Configuring Connection Settings
Step 5 To disable randomized sequence numbers, uncheck Randomize Sequence Number.
TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the connection is between two interfaces with the same security level, then the ISN will be randomized in the SYN in both directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
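To make the two-direction behaviour concrete, here is an added Python model (not Cisco code, and not how the ASA is implemented internally) of a firewall that randomizes the ISN of the SYN passing outbound, or of both SYNs when the interfaces share a security level, while translating sequence and acknowledgement numbers so each endpoint still sees its own original numbers. The hosts C and S, the segment dictionaries and the rng hook are constructed for this example.

```python
import secrets

MOD = 1 << 32  # TCP sequence numbers are 32-bit


class IsnRandomizer:
    """Constructed model of the ISN randomization described in Step 5.
    'outbound' is the direction away from the protected host."""

    def __init__(self, randomize=True, same_security_level=False, rng=None):
        self.randomize = randomize
        self.same_security_level = same_security_level
        self.rng = rng or (lambda: secrets.randbelow(MOD))  # rng hook for tests
        self.delta = {}  # (src, dst) -> offset applied to that sender's seq

    def forward(self, seg, outbound):
        """Rewrite one segment {src, dst, seq, ack, flags} as it crosses."""
        fwd, rev = (seg["src"], seg["dst"]), (seg["dst"], seg["src"])
        if "SYN" in seg["flags"] and fwd not in self.delta:
            # A SYN opens this sender's half of the connection: randomize it
            # only outbound, or in both directions for equal security levels.
            qualifies = self.randomize and (outbound or self.same_security_level)
            self.delta[fwd] = self.rng() if qualifies else 0
        out = dict(seg)
        out["seq"] = (seg["seq"] + self.delta.get(fwd, 0)) % MOD
        if "ACK" in seg["flags"]:
            # Undo the peer's offset so the peer sees its own numbers.
            out["ack"] = (seg["ack"] - self.delta.get(rev, 0)) % MOD
        return out


def simulate_handshake(client_isn, server_isn, **kw):
    """Run a three-way handshake through the model (C is the protected host)
    and return what each side sees and what appeared on the wire."""
    fw = IsnRandomizer(**kw)
    syn = fw.forward({"src": "C", "dst": "S", "seq": client_isn, "ack": 0,
                      "flags": {"SYN"}}, outbound=True)
    # The server acknowledges the (possibly rewritten) ISN it actually saw.
    synack = fw.forward({"src": "S", "dst": "C", "seq": server_isn,
                         "ack": (syn["seq"] + 1) % MOD,
                         "flags": {"SYN", "ACK"}}, outbound=False)
    ack = fw.forward({"src": "C", "dst": "S", "seq": (client_isn + 1) % MOD,
                      "ack": (synack["seq"] + 1) % MOD,
                      "flags": {"ACK"}}, outbound=True)
    return {"wire_client_isn": syn["seq"],      # ISN the outside observed
            "client_sees_ack": synack["ack"],   # must equal client_isn + 1
            "server_sees_ack": ack["ack"],      # must equal server_isn + 1
            "wire_server_isn": synack["seq"]}   # ISN the client observed
```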
Step 6 To configure TCP normalization, check Use TCP Map. Choose an existing TCP map from the drop-down list (if available), or add a new one by clicking New.
The Add TCP Map dialog box appears. See the "Customizing the TCP Normalizer with a TCP Map" section on page 48-6.
Step 7 Click OK.
Step 8 To set the time to live, check Decrement time to live for a connection.
Step 9 To enable TCP state bypass, in the Advanced Options area, check TCP State Bypass.
Step 10 Click OK or Finish.
Configuring Global Timeouts
The Configuration > Properties > Timeouts pane lets you set the timeout durations for use with the adaptive security appliance. All durations are displayed in the format hh:mm:ss. It sets the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.
Fields
In all cases, except for Authentication absolute and Authentication inactivity, unchecking the check boxes means there is no timeout value. For those two cases, clearing the check box means to reauthenticate on every new connection.
Half Closed Connection Timeout—Specifies the idle time until a half closed connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 10 minutes.
Connection—Modifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.
Half-closed—Modifies the idle time until a TCP half-closed connection closes. The minimum is 5 minutes. The default is 10 minutes. Enter 0:0:0 to disable timeout for a half-closed connection.
UDP—Modifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes. Enter 0:0:0 to disable timeout.
ICMP—Modifies the idle time after which general ICMP states are closed.
H.323—Modifies the idle time until an H.323 media connection closes. The default is 5 minutes. Enter 0:0:0 to disable timeout.
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
48-9